From 5ca55d2efcc853c5519a733af43392e4c1c0c8d0 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 19 Jan 2023 13:21:12 -0300 Subject: [PATCH] doc: add meeting minutes 19-01 Co-authored-by: Ulises Gascon --- meetings/2023-01-19.md | 63 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 meetings/2023-01-19.md diff --git a/meetings/2023-01-19.md b/meetings/2023-01-19.md new file mode 100644 index 00000000..530587c3 --- /dev/null +++ b/meetings/2023-01-19.md @@ -0,0 +1,63 @@ +# Node.js Security WorkGroup Meeting 2023-01-19 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=qzLZbdHSfZE +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/862 +* **Minutes Google Doc**: https://docs.google.com/document/d/1poZvCtSlrw7aPjldNwHyJUToZu7RsBlnFDRV5VpIDtg/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Ulises Gascon: @UlisesGascon +* Thomas GENTILHOMME: @fraxken +* Robert Waite +* Joe Sepi: @joesepi +* Joyce Brum from GOSST @joycebrum +* Gabriela Gutierrez from GOSST @gabibguti +* Pedro Nacht from GOSST @pnacht +* Diogo Sant'Anna from GOSST @diogoteles08 +* Michael Dawson @mhdawson + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + +### nodejs/security-wg + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) +* Add OSSF Scorecard [#851](https://github.com/nodejs/security-wg/issues/851) + * Discussion with GOSST about implementing it on Node.js + * The Nodejs currently report is located [here](https://deps.dev/project/github/nodejs%2Fnode), also [json version available](https://api.securityscorecards.dev/projects/github.com/nodejs/node) + * Agreement to update action version tag by hash in GHA, following [this example](https://app.stepsecurity.io/secureworkflow/nodejs/node/coverage-linux.yml/main?enable=pin), lead by GOSST + * Agreement to add/document the next steps in [this issue](https://github.com/nodejs/security-wg/issues/859) in order to provide a good context for the following PRs and TSC Meetings, lead by GOSST + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + +* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) + * We will discuss this issue as first topic in the next meeting + +* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) + +* Permission Model [#791](https://github.com/nodejs/security-wg/issues/791) + * Got 3 approvals so far + * Remaining work: + * Windows issue to fix + * Native modules support + +### nodejs/nodejs-dependency-vuln-assessments + +* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.